[ Sunday, January 22, 2017 ]
What's wrong with this picture?
Jeff [11:33 PM]
Someone stole a USB "pen drive" from MAPFRE Life Insurance Company of Puerto Rico. The storage device had PHI on it, including names, DOB, and SSN of 2200 people. No risk analysis, no risk management plan, and no encryption plan. OCR levied a fine for these HIPAA violations of $2.2 million (which is supposedly "low" because of the tenuous financial condition of the entity).
So, what's wrong? You should be asking, Hmmm, how come OCR is fining a life insurance company? That's what I thought, since life insurance companies are not "covered entities" under HIPAA. Well, there is an explanation: MAPFRE also offers personal and group health insurance plans, thus making it a covered entity. Mystery solved.